Personal Data Processing

Introduction

This notice provides detailed information about how ETERNEL agency (“Data Controller”) processes your personal data, in accordance with the General Data Protection Regulation (GDPR) and relevant Polish data protection laws. This document complements our general Privacy Policy available at [Link to your Privacy Policy page, e.g., www.eternelt.agency/privacy-policy].

Data Controller Details

Name: ETERNEL agency
Registered Address: Al. Jana Pawła II 58/2.1, 31-571 Kraków
Email for Data Privacy Inquiries: [email protected]

Categories of Personal Data Processed

We process various categories of personal data, which may include:

• Identification Data: Name, surname, date of birth, national ID/passport details (for legal verification, e.g., anti-money laundering checks).
• Contact Data: Email address, phone number, postal address.
• Financial Data: Bank account details, transaction history, property value, budget information (relevant to property transactions).
• Property-Related Data: Property preferences, viewing history, offer details, property specifications, photographs of properties for sale/rent.
• Technical Data: IP address, browser type, device information, website usage data (via analytics and cookies).
• Communication Data: Records of correspondence (emails, chat, phone calls, social media interactions).

Legal Basis and Purposes of Processing

We process your personal data based on the following legal grounds under GDPR:

• Performance of a Contract (Art. 6(1)(b) GDPR): To fulfill our contractual obligations to you (e.g., facilitating a property sale/purchase, managing your property, providing rental services, responding to pre-contractual inquiries, arranging viewings, preparing offers).
• Legal Obligation (Art. 6(1)(c) GDPR): To comply with legal duties (e.g., anti-money laundering regulations, tax obligations, consumer protection laws, record-keeping requirements).
• Legitimate Interests (Art. 6(1)(f) GDPR): For our legitimate business interests, provided your rights and freedoms are not overridden (e.g., improving our services, preventing fraud, direct marketing to existing clients regarding similar services, website analytics, ensuring network and information security, debt collection).
• Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent for specific processing activities (e.g., for sending marketing communications not covered by legitimate interest, or for certain non-essential cookies). You have the right to withdraw consent at any time.

Recipients or Categories of Recipients of Personal Data

Your personal data may be disclosed to:

• Internal Staff: Our authorized employees and agents who require access to perform their duties related to our services.
• Service Providers: Third parties acting on our behalf who provide services such as IT support, cloud hosting, payment processing, legal advice, marketing, accounting, property valuation, professional photography, and public notaries.
• Transactional Parties: Other parties directly involved in a property transaction (e.g., potential buyers or sellers, their legal representatives, financial institutions if relevant to a transaction).
• Public Authorities: Law enforcement, regulators, or other government bodies, when legally required to disclose information (e.g., for tax purposes or judicial orders).
• [If you share data with specific business partners for joint ventures or referrals, specify them here].

International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA) if necessary for the purposes outlined (e.g., if you are an international client or a property is located outside the EEA, or if our service providers use servers outside the EEA). We ensure that such transfers comply with GDPR by implementing appropriate safeguards, such as:

• Using Standard Contractual Clauses (SCCs) approved by the European Commission.
• Transferring data to countries recognized by the European Commission as providing an adequate level of data protection.

Data Retention Periods

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected, or as required by legal, accounting, or reporting obligations.

• Contractual Data: For the duration of the contract with you, and typically for a period of [e.g., 6-10] years thereafter to comply with legal obligations (e.g., tax, civil law claims).
• Inquiry Data: Up to [e.g., 12-24] months after the last contact if no contract is concluded, to allow for follow-up and service improvement, unless a shorter period is required.
• Legal Compliance Data: For periods specifically mandated by law (e.g., [e.g., 5 years] for anti-money laundering checks after the business relationship ends).
• Marketing Data: Until you withdraw consent or object to processing, or [e.g., 3-5 years] from the last interaction if no consent is required.
• Website Usage Data (Analytics): Typically [e.g., 26 months] as per Google Analytics default settings, or as specified in our Cookie Policy.

Your Data Protection Rights

As a data subject under GDPR, you have the following rights:

• Right of Access (Art. 15 GDPR): To obtain confirmation of whether your personal data is being processed, and to access that data, along with information about the processing.
• Right to Rectification (Art. 16 GDPR): To request correction of inaccurate personal data or completion of incomplete personal data concerning you.
• Right to Erasure (‘Right to be Forgotten’) (Art. 17 GDPR): To request the deletion of your personal data under certain conditions (e.g., data is no longer necessary for the purpose, you withdraw consent, or processing is unlawful).
• Right to Restriction of Processing (Art. 18 GDPR): To request the temporary halt of processing your data under certain conditions (e.g., accuracy is contested, or processing is unlawful but you oppose erasure).
• Right to Data Portability (Art. 20 GDPR): To receive your personal data, which you have provided to us, in a structured, commonly used, machine-readable format, and have the right to transmit that data to another controller, where processing is based on consent or contract.
• Right to Object (Art. 21 GDPR): To object to the processing of your personal data, particularly where based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent (Art. 7(3) GDPR): If processing is based on your consent, you can withdraw it at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
  To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month of receipt.

Right to Lodge a Complaint with a Supervisory Authority

If you believe that the processing of your personal data infringes GDPR, you have the right to lodge a complaint with a supervisory authority. In Poland, the relevant authority is:

• Prezes Urzędu Ochrony Danych Osobowych (UODO)
• Address: ul. Stawki 2, 00-193 Warszawa, Poland
• Phone: (22) 576 07 00
• Website: https://uodo.gov.pl/

Automated Decision-Making and Profiling

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals.

Changes to This Notice

This Personal Data Processing Notice may be updated periodically to reflect changes in our practices or legal requirements. We will inform you of any material changes by posting the new notice on our website and updating the “Last Updated” date. We encourage you to review this notice periodically.

Contact Us

For any questions regarding this Personal Data Processing Notice, please contact us: